CVE-2026-39361
Published: 07 April 2026
Summary
CVE-2026-39361 is a high-severity server-side request forgery (SSRF, CWE-918) vulnerability in OpenObserve (vendor: OpenObserve). Its CVSS base score is 7.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its exploit-likelihood score sits at the 12.2 percentile (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are the NIST 800-53 controls AC-4 (Information Flow Enforcement) and SC-7 (Boundary Protection).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Input validation of URL parameters such as enrichment_url must block internal IPv6 addresses, addressing the core parsing-bypass flaw in validate_enrichment_url.
- SC-7 (Boundary Protection): network boundary protections isolate internal services such as cloud metadata endpoints from external access, mitigating SSRF exploitation even if application-level validation fails.
- AC-4 (Information Flow Enforcement): information flow policies restrict externally originated authenticated requests from reaching internal network services via URL parameters.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability in the public-facing OpenObserve application enables initial exploitation (T1190) and directly facilitates access to cloud metadata services (AWS IMDS, GCP, Azure) to retrieve IAM credentials (T1552.005, Cloud Instance Metadata API).
NVD Description
OpenObserve is a cloud-native observability platform. In 0.70.3 and earlier, the validate_enrichment_url function in src/handler/http/request/enrichment_table/mod.rs fails to block IPv6 addresses because Rust's url crate returns them with surrounding brackets (e.g. "[::1]" not "::1"). An authenticated attacker can reach internal services … blocked from external access. On cloud deployments this enables retrieval of IAM credentials via AWS IMDSv1 (169.254.169.254), GCP metadata, or Azure IMDS. On self-hosted deployments it allows probing internal network services.
Deeper analysis
CVE-2026-39361 is a vulnerability in OpenObserve, a cloud-native observability platform, affecting versions 0.70.3 and earlier. The issue resides in the validate_enrichment_url function within src/handler/http/request/enrichment_table/mod.rs, which fails to properly block IPv6 addresses. This occurs because Rust's url crate parses and returns IPv6 hosts with surrounding brackets (e.g., "[::1]" instead of "::1"), so bracketed IPv6 literals slip past the intended restriction on internal IP access.
An authenticated attacker with low privileges can exploit this flaw over the network with low complexity and no user interaction, achieving a high confidentiality impact with changed scope (CVSS 7.7). The vulnerability allows reaching internal services normally isolated from external access. In cloud deployments, attackers can retrieve IAM credentials via AWS IMDSv1 (169.254.169.254), the GCP metadata service, or Azure IMDS. On self-hosted setups, it permits probing of internal network services.
The GitHub security advisory GHSA-gcwf-3p7h-wm79 and commit d1a5d8f65b432e2e82f83231390dec7f107e8d75 address the issue, with the commit providing the fix by correcting IPv6 handling in the validation function. Affected users should upgrade to a patched version beyond 0.70.3 to mitigate the risk.
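As an added illustration (not OpenObserve's code, and not the project's actual fix), the following Rust contrasts the check pattern the advisory describes with a hardened form. The `host_str` helper is a hypothetical, std-only stand-in that mimics the url crate's `Url::host_str()` bracket behaviour so the example runs without dependencies; it also covers IPv4-mapped IPv6 literals, which the page does not mention.

```rust
use std::net::{IpAddr, Ipv4Addr, Ipv6Addr};

// Hypothetical std-only stand-in for the url crate's `Url::host_str()` (not OpenObserve code):
// like the crate, it returns IPv6 literals WITH brackets, e.g. "[::1]".
fn host_str(url: &str) -> Option<&str> {
    let rest = url.split_once("://")?.1;
    let authority = rest.split(|c| c == '/' || c == '?' || c == '#').next()?;
    let hostport = authority.rsplit_once('@').map_or(authority, |(_, h)| h);
    if hostport.starts_with('[') {
        let end = hostport.find(']')?;
        Some(&hostport[..=end])
    } else {
        hostport.split(':').next()
    }
}

fn is_internal_v4(ip: Ipv4Addr) -> bool {
    ip.is_private() || ip.is_loopback() || ip.is_link_local() || ip.is_unspecified()
}

fn is_internal_v6(ip: Ipv6Addr) -> bool {
    // IPv4-mapped literals such as "::ffff:169.254.169.254" are judged as their IPv4 form.
    if let Some(v4) = ip.to_ipv4_mapped() { return is_internal_v4(v4); }
    let seg0 = ip.segments()[0];
    ip.is_loopback() || ip.is_unspecified()
        || (seg0 & 0xfe00) == 0xfc00 // fc00::/7 unique local
        || (seg0 & 0xffc0) == 0xfe80 // fe80::/10 link local
}

// Vulnerable pattern: "[::1]" is not a valid `IpAddr` string, so the parse fails and the
// literal is treated like a hostname, falling through to "allowed".
fn vulnerable_allows(url: &str) -> bool {
    match host_str(url).and_then(|h| h.parse::<IpAddr>().ok()) {
        Some(IpAddr::V4(v4)) => !is_internal_v4(v4),
        Some(IpAddr::V6(v6)) => !is_internal_v6(v6),
        None => true,
    }
}

// Hardened: strip the brackets first so IPv6 literals actually reach the blocklist check.
fn hardened_allows(url: &str) -> bool {
    let h = match host_str(url) { Some(h) => h, None => return false };
    let bare = h.strip_prefix('[').and_then(|s| s.strip_suffix(']')).unwrap_or(h);
    match bare.parse::<IpAddr>() {
        Ok(IpAddr::V4(v4)) => !is_internal_v4(v4),
        Ok(IpAddr::V6(v6)) => !is_internal_v6(v6),
        Err(_) => true, // hostname: resolved-address checks are outside this example
    }
}
```

A hostname that resolves to an internal address still passes both versions; blocking that requires checking the resolved addresses (and the network-layer controls listed above).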
Details
- CWE(s): CWE-918 (Server-Side Request Forgery)